On 02/14/2010 10:17 PM, Jafaruddin Lie wrote:
>
> We do have a CISCO ASA 5520 that the outgoing mailserver sits behind,
> and I have done the no fixup protocol on the box to no avail.
> I have also enabled ICMP from that box to our internal mail server,
> and ping works so I figure the ICMP NO-FRAGMENT wouldn't be an issue
> here now.
>

It sounds as though the issue surfaced about the same time the new security device came into play. If so, it might help to make that absolutely clear to everyone who reads this thread. Is this the only change in the environment?

From what you've said above, it sounds like you're on the right track. Only thing I noticed is that you mentioned fixup (PIX) and not inspect (ASA). I don't have an ASA in front of me ATM (and honestly, I'm not all that good with them anyway), however something 'like' the following commands should get you to the right place if you don't have access to ASDM (assuming you haven't changed too much in the default configuration). There are plenty of examples all over the net if you use the correct search terms. Obviously, you should do a 'show run' to make sure my second assumption is correct (and that this could even be the problem).

{{{
policy-map global_policy
 class inspection_default
  no inspect esmtp
}}}

Don't forget to write, else it'll be gone on reboot if it works. Sorry, done that a couple of times myself, though I always dump my configs. A friendly reminder never hurts either way.

BTW, here is a better example than the Cisco docs (IMO), probably should have just linked to there in the first place instead of the above gibberish. Oh well.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html

--
DJ Lucas
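The reply above recommends confirming with 'show run' that esmtp inspection is actually active in the default class before removing it. The following is an added example, not code from the thread or from Cisco: a small parser for pasted ASA 'show run' output that reports which protocols are inspected under a given policy-map/class. It assumes the standard one-space/two-space indentation the ASA uses when printing its configuration, and the sample configuration embedded in it is constructed.

```python
import re

# Constructed sample of the relevant part of an ASA "show run"; it models the
# factory-default global_policy with esmtp inspection still enabled.
SAMPLE_SHOW_RUN = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect icmp
service-policy global_policy global
"""


def inspected_protocols(show_run, policy_map="global_policy",
                        class_name="inspection_default"):
    """Return the set of protocols listed as 'inspect <proto>' in the given class.

    ASA configuration is indentation-scoped: a 'policy-map' line at column 0
    opens a block, ' class <name>' at one space opens a class inside it, and
    '  inspect <proto>' lines at two spaces belong to that class. Any other
    column-0 line (e.g. 'service-policy ...') closes the block.
    """
    found = set()
    in_policy = in_class = False
    for line in show_run.splitlines():
        if not line.startswith(" "):            # top-level statement
            in_policy = line.strip() == f"policy-map {policy_map}"
            in_class = False
            continue
        if in_policy and not line.startswith("  "):   # one-space: class line
            in_class = line.strip() == f"class {class_name}"
            continue
        if in_policy and in_class:
            m = re.match(r"\s+inspect\s+(\S+)", line)
            if m:
                found.add(m.group(1))
    return found


def esmtp_inspection_enabled(show_run):
    """True if 'inspect esmtp' is still active in the default inspection class."""
    return "esmtp" in inspected_protocols(show_run)
```

Because 'inspect esmtp' is also what filters SMTP commands through the firewall, a positive result here is a reason to test it as the cause, not by itself a reason to leave it disabled once the delivery problem is understood.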